Rule: VPC Security Groups Should Restrict Ingress Access on Common Ports

Rule Description:

Troubleshooting Steps:

2. 1.
   Verify the VPC security group settings: Check if the VPC security groups associated with the resources have the necessary rules to restrict access to the specified ports.
4. 2.
   Check the inbound rules: Ensure that the ingress rules are defined correctly and restrict access to the necessary IP ranges and ports for FFIEC compliance.

Necessary Codes:

Step-by-Step Guide for Remediation:

2. 1.
   Log in to the AWS Management Console.
4. 2.
   Open the Amazon VPC service.
6. 3.
   In the navigation pane, click on "Security Groups."
8. 4.
   Identify the security groups associated with your VPC resources that need to be modified. Note down their names.
10. 5.
    Click on the security group you want to modify.
12. 6.
    In the "Inbound Rules" tab, locate the rule for each port (20, 21, 22, 3306, 3389, and 4333) and delete any existing rule that allows ingress access from the 0.0.0.0/0 IP range.
14. 7.
    Add a new rule for each port by clicking on the "Add Rule" button.
16. 8.
    Set the following values for each rule:

    • Type: Custom TCP Rule
    • Protocol: TCP
    • Port Range: Specify the desired port (20, 21, 22, 3306, 3389, or 4333)
    • Source: Choose "Custom" and enter the CIDR range allowed for FFIEC compliance (e.g., 192.0.2.0/24).
18. 9.
    Repeat steps 7-8 for each port that needs to be restricted.
20. 10.
    Click on the "Save Rules" button to apply the changes to the security group.
22. 11.
    Repeat steps 5-10 for each security group that requires modification.
24. 12.
    Verify the rules by checking the inbound rules for the security groups associated with the resources in your VPC.
26. 13.
    Test the restricted access by attempting to access the specified ports from an IP address not included in the FFIEC-compliant IP range. The access should be denied.